{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T03:30:11Z","timestamp":1781062211473,"version":"3.54.1"},"reference-count":100,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2025,3,31]],"date-time":"2025-03-31T00:00:00Z","timestamp":1743379200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,3,31]],"date-time":"2025-03-31T00:00:00Z","timestamp":1743379200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2025,5]]},"abstract":"Abstract<\/jats:title>\n \n The growing use of third-party libraries in software development poses a hidden security risk, as vulnerabilities in these libraries can easily spread to dependent applications. Project maintainers must remain vigilant regarding updates and patches for these external libraries, a responsibility that is facilitated by automated tools, also known as\n bots<\/jats:italic>\n . This study centers on Dependabot, a widely adopted bot that offers security and version updates. We aim to scrutinize the impact of Dependabot on mitigating vulnerabilities arising from dependencies, preventing potential prolonged security issues in open-source software. We investigate how developers react to security updates provided by Dependabot within engineered and actively maintained JavaScript projects. We also delve into how project attributes, including the integration of tests and continuous integration (CI) tools, influence the acceptance rate of security updates. Additionally, we perform a detailed analysis of the lifespan of each vulnerability to demonstrate how they are dealt with when Dependabot is in use. Our findings reveal a significant reliance on Dependabot by developers for managing security vulnerabilities in dependencies, with most updates being merged swiftly within days. We find that projects equipped with tests and CI tools are more likely to merge security updates. Conversely, when developers opt not to merge a security update, they often manually address the identified vulnerability. This manual approach, however, could span over several months, potentially exposing projects to security risks. Crucially, in many instances, the manual fixes are potentially inspired by earlier security updates, underscoring Dependabot\u2019s pivotal role in safeguarding dependencies.\n <\/jats:p>","DOI":"10.1007\/s10664-025-10638-w","type":"journal-article","created":{"date-parts":[[2025,4,1]],"date-time":"2025-04-01T21:18:18Z","timestamp":1743542298000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Securing dependencies: A comprehensive study of Dependabot\u2019s impact on vulnerability mitigation"],"prefix":"10.1007","volume":"30","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9434-4618","authenticated-orcid":false,"given":"Hamid","family":"Mohayeji","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Andrei","family":"Agaronian","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Eleni","family":"Constantinou","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Nicola","family":"Zannone","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Alexander","family":"Serebrenik","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2025,3,31]]},"reference":[{"key":"10638_CR1","doi-asserted-by":"crossref","unstructured":"Aalen O, Borgan O, Gjessing H (2008) Survival and event history analysis: a process point of view. Springer Science & Business Media","DOI":"10.1007\/978-0-387-68560-1"},{"key":"10638_CR2","unstructured":"Abrahamsson P, Salo O, Ronkainen J, Warsta J (2017) Agile software development methods: review and analysis. arXiv:1709.08439"},{"key":"10638_CR3","unstructured":"Alfadel M, Costa DE, Mokhallalati M, Shihab E, Adams B (2020) On the threat of npm vulnerable dependencies in node.js applications. arXiv:2009.09019"},{"key":"10638_CR4","doi-asserted-by":"publisher","unstructured":"Alfadel M, Costa DE, Shihab E, Adams B (2023) On the discoverability of npm vulnerabilities in node.js projects. ACM Trans Softw Eng Methodol 32(4). https:\/\/doi.org\/10.1145\/3571848","DOI":"10.1145\/3571848"},{"key":"10638_CR5","doi-asserted-by":"publisher","unstructured":"Alfadel M, Costa DE, Shihab E, Mkhallalati M (2021) On the use of dependabot security pull requests. In: 2021 IEEE\/ACM 18th international conference on Mining Software Repositories (MSR), pp 254\u2013265. https:\/\/doi.org\/10.1109\/MSR52588.2021.00037","DOI":"10.1109\/MSR52588.2021.00037"},{"key":"10638_CR6","unstructured":"APA (1994) Publication manual of the American Psychological Association, 4th edn. American Psychological Association, pp 16\u201318"},{"issue":"5","key":"10638_CR7","doi-asserted-by":"publisher","first-page":"502","DOI":"10.1111\/opo.12131","volume":"34","author":"RA Armstrong","year":"2014","unstructured":"Armstrong RA (2014) When to use the Bonferroni correction. Ophthalmic Physiol Opt 34(5):502\u2013508","journal-title":"Ophthalmic Physiol Opt"},{"key":"10638_CR8","doi-asserted-by":"crossref","unstructured":"Backes M, Bugiel S, Derr E (2016) Reliable third-party library detection in android and its security applications. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp 356\u2013367","DOI":"10.1145\/2976749.2978333"},{"issue":"10","key":"10638_CR9","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1145\/236156.236184","volume":"39","author":"VR Basili","year":"1996","unstructured":"Basili VR, Briand LC, Melo WL (1996) How reuse influences productivity in object-oriented systems. Commun ACM 39(10):104\u2013116. https:\/\/doi.org\/10.1145\/236156.236184","journal-title":"Commun ACM"},{"issue":"1","key":"10638_CR10","doi-asserted-by":"publisher","first-page":"289","DOI":"10.1111\/j.2517-6161.1995.tb02031.x","volume":"57","author":"Y Benjamini","year":"1995","unstructured":"Benjamini Y, Hochberg Y (1995) Controlling the false discovery rate: a practical and powerful approach to multiple testing. J R Stat Soc Ser B (Methodological) 57(1):289\u2013300","journal-title":"J R Stat Soc Ser B (Methodological)"},{"key":"10638_CR11","doi-asserted-by":"crossref","unstructured":"Bogart C, K\u00e4stner C, Herbsleb J (2015) When it breaks, it breaks: How ecosystem developers reason about the stability of dependencies. In: 2015 30th IEEE\/ACM international conference on Automated Software Engineering Workshop (ASEW). IEEE, pp 86\u201389","DOI":"10.1109\/ASEW.2015.21"},{"key":"10638_CR12","doi-asserted-by":"crossref","unstructured":"Bogart C, K\u00e4stner C, Herbsleb J, Thung F (2016) How to break an API: cost negotiation and community values in three software ecosystems. In: Proceedings of the 2016 24th ACM SIGSOFT international symposium on foundations of software engineering, pp 109\u2013120","DOI":"10.1145\/2950290.2950325"},{"key":"10638_CR13","unstructured":"Brito G, Terra R, Valente MT (2018) Monorepos: a multivocal literature review. arXiv:1810.09477"},{"key":"10638_CR14","doi-asserted-by":"crossref","unstructured":"Brown C, Parnin C (2019) Sorry to bother you: designing bots for effective recommendations. In: 2019 IEEE\/ACM 1st International Workshop on Bots in Software Engineering (BotSE). IEEE, pp 54\u201358","DOI":"10.1109\/BotSE.2019.00021"},{"key":"10638_CR15","unstructured":"Burrows D, Fernandez\u00a0Montecelo MA (2016) What is package manager? In: aptitude user\u2019s manual, Free Software Foundation. https:\/\/www.debian.org\/doc\/manuals\/aptitude\/pr01s02.en.html"},{"issue":"3","key":"10638_CR16","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-021-09951-x","volume":"26","author":"B Chinthanet","year":"2021","unstructured":"Chinthanet B, Kula RG, McIntosh S, Ishio T, Ihara A, Matsumoto K (2021) Lags in the release, adoption, and propagation of npm vulnerability fixes. Empir Softw Eng 26(3):1\u201328","journal-title":"Empir Softw Eng"},{"key":"10638_CR17","unstructured":"Cohen J (1988) Statistical power analysis for the behavioral sciences, 2nd edn. L. Erlbaum Associates, pp 224\u2013226"},{"issue":"2","key":"10638_CR18","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/s11334-017-0303-4","volume":"13","author":"E Constantinou","year":"2017","unstructured":"Constantinou E, Mens T (2017) An empirical comparison of developer retention in the rubygems and npm software ecosystems. Innov Syst Softw Eng 13(2):101\u2013115","journal-title":"Innov Syst Softw Eng"},{"key":"10638_CR19","doi-asserted-by":"crossref","unstructured":"Cox J, Bouwers E, Van\u00a0Eekelen M, Visser J (2015) Measuring dependency freshness in software systems. In: 2015 IEEE\/ACM 37th IEEE international conference on software engineering. IEEE, vol\u00a02, pp 109\u2013118","DOI":"10.1109\/ICSE.2015.140"},{"key":"10638_CR20","doi-asserted-by":"crossref","unstructured":"Cram\u00e9r H (1946) Mathematical methods of statistics. Princeton University Press, chap 21, p 282","DOI":"10.1515\/9781400883868"},{"issue":"1","key":"10638_CR21","doi-asserted-by":"publisher","first-page":"381","DOI":"10.1007\/s10664-017-9589-y","volume":"24","author":"A Decan","year":"2019","unstructured":"Decan A, Mens T, Grosjean P (2019) An empirical comparison of dependency network evolution in seven software packaging ecosystems. Empir Softw Eng 24(1):381\u2013416","journal-title":"Empir Softw Eng"},{"key":"10638_CR22","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Claes M (2017) An empirical comparison of dependency issues in oss packaging ecosystems. In: 2017 IEEE 24th international conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, pp 2\u201312","DOI":"10.1109\/SANER.2017.7884604"},{"key":"10638_CR23","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Constantinou E (2018a) On the evolution of technical lag in the npm package dependency network. In: 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, pp 404\u2013414","DOI":"10.1109\/ICSME.2018.00050"},{"key":"10638_CR24","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Constantinou E (2018b) On the impact of security vulnerabilities in the npm package dependency network. In: Proceedings of the 15th international conference on mining software repositories, pp 181\u2013191","DOI":"10.1145\/3196398.3196401"},{"key":"10638_CR25","doi-asserted-by":"publisher","unstructured":"Del\u010dev S, Dra\u0161kovi\u0107 D (2018) Modern javascript frameworks: a survey study. In: 2018 Zooming Innovation in Consumer Technologies Conference (ZINC), pp 106\u2013109. https:\/\/doi.org\/10.1109\/ZINC.2018.8448444","DOI":"10.1109\/ZINC.2018.8448444"},{"key":"10638_CR26","unstructured":"Dependabot (2020) chore(deps): bump acorn from 5.6.2 to 5.7.4. pull request #1008 carbon-design-system\/carbon-addons-iot-react. https:\/\/github.com\/carbon-design-system\/carbon-addons-iot-react\/pull\/1008. [Online] Last Accessed 11 Jan 2024"},{"key":"10638_CR27","unstructured":"Dependabot (n.d.) Dependabot-preview. https:\/\/github.com\/marketplace\/dependabot-preview\/. [Online] Last Accessed 21 Mar 2021"},{"key":"10638_CR28","unstructured":"Depfu (2020) Depfu. https:\/\/depfu.com\/. [Online] Last Accessed 18 Oct 2024"},{"key":"10638_CR29","doi-asserted-by":"crossref","unstructured":"Derr E, Bugiel S, Fahl S, Acar Y, Backes M (2017) Keep me updated: An empirical study of third-party library updatability on android. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 2187\u20132200","DOI":"10.1145\/3133956.3134059"},{"key":"10638_CR30","unstructured":"Di\u00a0Cosmo R, Zacchiroli S (2017) Software heritage: why and how to preserve software source code. In: iPRES 2017-14th international conference on digital preservation, pp 1\u201310"},{"key":"10638_CR31","doi-asserted-by":"publisher","first-page":"e849","DOI":"10.7717\/peerj-cs.849","volume":"8","author":"L Erlenhov","year":"2022","unstructured":"Erlenhov L, de Oliveira Neto FG, Leitner P (2022) Dependency management bots in open-source systems\u2014prevalence and adoption. PeerJ Comput Sci 8:e849","journal-title":"PeerJ Comput Sci"},{"key":"10638_CR32","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1214\/09-SS051","volume":"4","author":"MP Fay","year":"2010","unstructured":"Fay MP, Proschan MA (2010) Wilcoxon-Mann-Whitney or t-test? On assumptions for hypothesis tests and multiple interpretations of decision rules. Stat Surv 4:1","journal-title":"Stat Surv"},{"key":"10638_CR33","unstructured":"Fleming TR, Harrington DP (2011) Counting processes and survival analysis, vol 169. John Wiley & Sons"},{"issue":"7","key":"10638_CR34","doi-asserted-by":"publisher","first-page":"529","DOI":"10.1109\/TSE.2005.85","volume":"31","author":"WB Frakes","year":"2005","unstructured":"Frakes WB, Kang K (2005) Software reuse research: status and future. IEEE Trans Softw Eng 31(7):529\u2013536","journal-title":"IEEE Trans Softw Eng"},{"key":"10638_CR35","unstructured":"Gebauer J (2015) Pyup. https:\/\/pyup.io\/. [Online] Last Accessed 18 Jan 2023"},{"key":"10638_CR36","unstructured":"GitHub (2020) Securing the world\u2019s software: the 2020 state of the octoverse. https:\/\/octoverse.github.com\/static\/github-octoverse-2020-security-report.pdf, [Online] Last Accessed 18 Jan 2023"},{"key":"10638_CR37","unstructured":"GitHub (n.d.) About Dependabot security updates. https:\/\/docs.github.com\/en\/code-security\/dependabot\/dependabot-security-updates\/about-dependabot-security-updates. [Online] Last Accessed 11 Jan 2024"},{"key":"10638_CR38","doi-asserted-by":"crossref","unstructured":"Golzadeh M, Decan A, Mens T (2022) On the rise and fall of ci services in Github. In: 2022 IEEE international conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, pp 662\u2013672","DOI":"10.1109\/SANER53432.2022.00084"},{"key":"10638_CR39","doi-asserted-by":"crossref","unstructured":"Haenni N, Lungu M, Schwarz N, Nierstrasz O (2013) Categorizing developer information needs in software ecosystems. In: Proceedings of the 2013 international workshop on ecosystem architectures, pp 1\u20135","DOI":"10.1145\/2501585.2501586"},{"key":"10638_CR40","unstructured":"Healey JF (2009) Statistics: a Tool for social research, 8th edn. Wadsworth Cengage Learning, pp 316\u2013317"},{"key":"10638_CR41","doi-asserted-by":"publisher","unstructured":"He R, He H, Zhang Y, Zhou M (2022) Automating dependency updates in practice: an exploratory study on Github Dependabot. https:\/\/doi.org\/10.48550\/ARXIV.2206.07230. arxiv.org\/abs\/2206.07230","DOI":"10.48550\/ARXIV.2206.07230"},{"issue":"3","key":"10638_CR42","doi-asserted-by":"publisher","first-page":"469","DOI":"10.1080\/10618600.2017.1305277","volume":"26","author":"HW Heike Hofmann","year":"2017","unstructured":"Heike Hofmann HW, Kafadar K (2017) Letter-value plots: boxplots for large data. J Comput Graph Stat 26(3):469\u2013477. https:\/\/doi.org\/10.1080\/10618600.2017.1305277","journal-title":"J Comput Graph Stat"},{"issue":"5","key":"10638_CR43","doi-asserted-by":"publisher","first-page":"102","DOI":"10.1007\/s10664-021-10071-9","volume":"27","author":"J Hejderup","year":"2022","unstructured":"Hejderup J, Beller M, Triantafyllou K, Gousios G (2022) Pr\u00e4zi: from package-based to call-based dependency networks. Empir Softw Eng 27(5):102","journal-title":"Empir Softw Eng"},{"key":"10638_CR44","unstructured":"Howell DC (2007) Statistical methods for psychology, 5th edn. Wadsworth, p 165"},{"key":"10638_CR45","doi-asserted-by":"crossref","unstructured":"Huang J, Borges N, Bugiel S, Backes M (2019) Up-to-crash: evaluating third-party library updatability on android. In: 2019 IEEE European Symposium on Security and Privacy (EuroS &P). IEEE, pp 15\u201330","DOI":"10.1109\/EuroSP.2019.00012"},{"key":"10638_CR46","unstructured":"Hutchings J (2019) Introducing new ways to keep your code secure. https:\/\/github.blog\/2019-05-23-introducing-new-ways-to-keep-your-code-secure\/, [Online] Last Accessed 11 Jan 2024"},{"key":"10638_CR47","doi-asserted-by":"publisher","unstructured":"Irshad M, Torkar R, Petersen K, Afzal W (2016) Capturing cost avoidance through reuse: systematic literature review and industrial evaluation. In: Proceedings of the 20th international conference on evaluation and assessment in software engineering, Association for Computing Machinery, New York, NY, USA, EASE \u201916. https:\/\/doi.org\/10.1145\/2915970.2915989","DOI":"10.1145\/2915970.2915989"},{"key":"10638_CR48","doi-asserted-by":"crossref","unstructured":"Jafari AJ, Costa DE, Shihab E, Abdalkareem R (2023) Dependency update strategies and package characteristics. ACM Trans Softw Eng Methodol 32:1\u201329. https:\/\/api.semanticscholar.org\/CorpusID:258887857","DOI":"10.1145\/3603110"},{"key":"10638_CR49","doi-asserted-by":"crossref","unstructured":"Joy A, Thangavelu S, Jyotishi A (2018) Performance of github open-source software project: an empirical analysis. In: 2018 Second International Conference on Advances in Electronics, Computers and Communications (ICAECC). IEEE, pp 1\u20136","DOI":"10.1109\/ICAECC.2018.8479462"},{"key":"10638_CR50","doi-asserted-by":"crossref","unstructured":"Kalliamvakou E, Gousios G, Blincoe K, Singer L, German DM, Damian D (2014) The promises and perils of mining github. In: Proceedings of the 11th working conference on mining software repositories, pp 92\u2013101","DOI":"10.1145\/2597073.2597074"},{"issue":"282","key":"10638_CR51","doi-asserted-by":"publisher","first-page":"457","DOI":"10.1080\/01621459.1958.10501452","volume":"53","author":"EL Kaplan","year":"1958","unstructured":"Kaplan EL, Meier P (1958) Nonparametric estimation from incomplete observations. J Am Stat Assoc 53(282):457\u2013481","journal-title":"J Am Stat Assoc"},{"key":"10638_CR52","doi-asserted-by":"crossref","unstructured":"Kavaler D, Trockman A, Vasilescu B, Filkov V (2019) Tool choice matters: Javascript quality assurance tools and usage outcomes in Github projects. In: 2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE). IEEE, pp 476\u2013487","DOI":"10.1109\/ICSE.2019.00060"},{"key":"10638_CR53","doi-asserted-by":"crossref","unstructured":"Kokoska S, Zwillinger D (2000) CRC standard probability and statistics tables and formulae. Crc Press, Section 2.2.24","DOI":"10.1201\/b16923"},{"key":"10638_CR54","doi-asserted-by":"publisher","unstructured":"Kr\u00fcger J, Berger T (2020) An empirical analysis of the costs of clone- and platform-oriented software reuse. In: Proceedings of the 28th ACM joint meeting on european software engineering conference and symposium on the foundations of software engineering. Association for Computing Machinery, New York, NY, USA, ESEC\/FSE 2020, pp 432\u2013444. https:\/\/doi.org\/10.1145\/3368089.3409684","DOI":"10.1145\/3368089.3409684"},{"issue":"1","key":"10638_CR55","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"RG Kula","year":"2018","unstructured":"Kula RG, German DM, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies? Empir Softw Eng 23(1):384\u2013417","journal-title":"Empir Softw Eng"},{"key":"10638_CR56","unstructured":"Lanza M, Marinescu R (2007) Object-oriented metrics in practice: using software metrics to characterize, evaluate, and improve the design of object-oriented systems. Springer Science & Business Media"},{"key":"10638_CR57","doi-asserted-by":"crossref","unstructured":"Lauinger T, Chaabane A, Arshad S, Robertson W, Wilson C, Kirda E (2018) Thou shalt not depend on me: analysing the use of outdated javascript libraries on the web. arXiv:1811.00918","DOI":"10.14722\/ndss.2017.23414"},{"issue":"5","key":"10638_CR58","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1109\/52.311048","volume":"11","author":"W Lim","year":"1994","unstructured":"Lim W (1994) Effects of reuse on quality, productivity, and economics. IEEE Softw 11(5):23\u201330. https:\/\/doi.org\/10.1109\/52.311048","journal-title":"IEEE Softw"},{"key":"10638_CR59","doi-asserted-by":"publisher","unstructured":"Lin JW, Salehnamadi N, Malek S (2021) Test automation in open-source android apps: a large-scale empirical study. Association for Computing Machinery, New York, NY, USA, ASE \u201920, pp 1078\u20131089. https:\/\/doi.org\/10.1145\/3324884.3416623","DOI":"10.1145\/3324884.3416623"},{"key":"10638_CR60","doi-asserted-by":"crossref","unstructured":"Lin B, Robles G, Serebrenik A (2017) Developer turnover in global, industrial open source projects: insights from applying survival analysis. In: 2017 IEEE 12th International Conference on Global Software Engineering (ICGSE). IEEE, pp 66\u201375","DOI":"10.1109\/ICGSE.2017.11"},{"key":"10638_CR61","doi-asserted-by":"crossref","unstructured":"Liu C, Chen S, Fan L, Chen B, Liu Y, Peng X (2022) Demystifying the vulnerability propagation and its evolution via dependency trees in the npm ecosystem. 2022 IEEE\/ACM 44th International Conference on Software Engineering (ICSE), pp 672\u2013684. https:\/\/api.semanticscholar.org\/CorpusID:245853604","DOI":"10.1145\/3510003.3510142"},{"key":"10638_CR62","doi-asserted-by":"crossref","unstructured":"Liu D, Smith MJ, Veeramachaneni K (2020) Understanding user-bot interactions for small-scale automation in open-source development. In: Extended Abstracts of the 2020 CHI Conference on Human Factors in Computing Systems, pp 1\u20138","DOI":"10.1145\/3334480.3382998"},{"key":"10638_CR63","unstructured":"McDonald M (2021) Goodbye Dependabot preview, hello Dependabot! GitHub blog. https:\/\/github.blog\/2021-04-29-goodbye-dependabot-preview-hello-dependabot\/. [Online] Last Accessed 11 Jan 2024"},{"issue":"2","key":"10638_CR64","doi-asserted-by":"publisher","first-page":"143","DOI":"10.11613\/BM.2013.018","volume":"23","author":"ML McHugh","year":"2013","unstructured":"McHugh ML (2013) The chi-square test of independence. Biochem Med 23(2):143\u2013149","journal-title":"Biochem Med"},{"key":"10638_CR65","unstructured":"Mend (n.d.) Renovate. https:\/\/github.com\/marketplace\/renovate\/. [Online] Last Accessed 11 Jan 2024"},{"key":"10638_CR66","doi-asserted-by":"crossref","unstructured":"Mirhosseini S, Parnin C (2017) Can automated pull requests encourage software developers to upgrade out-of-date dependencies? In: 2017 32nd IEEE\/ACM international conference on Automated Software Engineering (ASE). IEEE, pp 84\u201394","DOI":"10.1109\/ASE.2017.8115621"},{"key":"10638_CR67","volume-title":"Econometric foundations","author":"RC Mittelhammer","year":"2000","unstructured":"Mittelhammer RC, Judge GG, Miller DJ (2000) Econometric foundations. Cambridge University Press"},{"key":"10638_CR68","doi-asserted-by":"publisher","unstructured":"Mohagheghi P, Conradi R, Killi O, Schwarz H (2004) An empirical study of software reuse vs. defect-density and stability. In: Proceedings. 26th international conference on software engineering, pp 282\u2013291. https:\/\/doi.org\/10.1109\/ICSE.2004.1317450","DOI":"10.1109\/ICSE.2004.1317450"},{"key":"10638_CR69","doi-asserted-by":"publisher","unstructured":"Mohayeji H, Agaronian A, Constantinou E, Zannone N, Serebrenik A (2023) Investigating the resolution of vulnerable dependencies with dependabot security updates. In: 2023 IEEE\/ACM 20th International Conference on Mining Software Repositories (MSR), pp 234\u2013246. https:\/\/doi.org\/10.1109\/MSR59073.2023.00042","DOI":"10.1109\/MSR59073.2023.00042"},{"key":"10638_CR70","doi-asserted-by":"publisher","unstructured":"Mohayeji H, Ebert F, Arts E, Constantinou E, Serebrenik A (2022) On the adoption of a todo bot on Github: a preliminary study. In: 2022 IEEE\/ACM 4th international workshop on Bots in Software Engineering (BotSE). IEEE Computer Society, Los Alamitos, CA, USA, pp 23\u201327. https:\/\/doi.org\/10.1145\/3528228.3528408. https:\/\/doi.ieeecomputersociety.org\/10.1145\/3528228.3528408","DOI":"10.1145\/3528228.3528408"},{"issue":"6","key":"10638_CR71","doi-asserted-by":"publisher","first-page":"3219","DOI":"10.1007\/s10664-017-9512-6","volume":"22","author":"N Munaiah","year":"2017","unstructured":"Munaiah N, Kroh S, Cabrey C, Nagappan M (2017) Curating Github for engineered software projects. Empir Softw Eng 22(6):3219\u20133253","journal-title":"Empir Softw Eng"},{"issue":"1","key":"10638_CR72","doi-asserted-by":"publisher","first-page":"13","DOI":"10.20982\/tqmp.04.1.p013","volume":"4","author":"N Nachar","year":"2008","unstructured":"Nachar N et al (2008) The Mann-Whitney u: a test for assessing whether two independent samples come from the same distribution. Tutorials Quant Methods Psychol 4(1):13\u201320","journal-title":"Tutorials Quant Methods Psychol"},{"key":"10638_CR73","unstructured":"Neighbourhoodie Software (2020) Greenkeeper automated dependency management. https:\/\/greenkeeper.io\/. [Online] Last Accessed 11 Jan 2024"},{"key":"10638_CR74","doi-asserted-by":"crossref","unstructured":"Nielsen BB, Torp MT, M\u00f8ller A (2021) Modular call graph construction for security scanning of node. js applications. In: Proceedings of the 30th ACM SIGSOFT international symposium on software testing and analysis, pp 29\u201341","DOI":"10.1145\/3460319.3464836"},{"key":"10638_CR75","doi-asserted-by":"publisher","unstructured":"Pashchenko I, Plate H, Ponta SE, Sabetta A, Massacci F (2022) Vuln4real: a methodology for counting actually vulnerable dependencies. IEEE Trans Softw Eng 48(5):1592\u20131609. https:\/\/doi.org\/10.1109\/TSE.2020.3025443","DOI":"10.1109\/TSE.2020.3025443"},{"key":"10638_CR76","doi-asserted-by":"crossref","unstructured":"Pashchenko I, Vu DL, Massacci F (2020) A qualitative study of dependency management and its security implications. In: Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, pp 1513\u20131531","DOI":"10.1145\/3372297.3417232"},{"issue":"302","key":"10638_CR77","doi-asserted-by":"publisher","first-page":"157","DOI":"10.1080\/14786440009463897","volume":"50","author":"K Pearson","year":"1900","unstructured":"Pearson K (1900) On the criterion that a given system of deviations from the probable in the case of a correlated system of variables is such that it can be reasonably supposed to have arisen from random sampling. Lond Edinb Dublin Philos Mag J Sci 50(302):157\u2013175","journal-title":"Lond Edinb Dublin Philos Mag J Sci"},{"issue":"4","key":"10638_CR78","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-021-09959-3","volume":"26","author":"GAA Prana","year":"2021","unstructured":"Prana GAA, Sharma A, Shar LK, Foo D, Santosa AE, Sharma A, Lo D (2021) Out of sight, out of mind? How vulnerable dependencies affect open-source projects. Empir Softw Eng 26(4):1\u201334","journal-title":"Empir Softw Eng"},{"key":"10638_CR79","doi-asserted-by":"publisher","unstructured":"Reichardt CS (2011) Criticisms of and an alternative to the shadish, cook, and campbell validity typology. New Dir Eval 130:43\u201353. https:\/\/doi.org\/10.1002\/ev.364. https:\/\/onlinelibrary.wiley.com\/doi\/abs\/10.1002\/ev.364","DOI":"10.1002\/ev.364"},{"key":"10638_CR80","doi-asserted-by":"crossref","unstructured":"Robillard MP, Arya DM, Ernst NA, Guo JL, Lamothe M, Nassif M, Novielli N, Serebrenik A, Steinmacher I, Stol KJ (2024) Communicating study design trade-offs in software engineering. ACM Trans Softw Eng Methodol","DOI":"10.1145\/3649598"},{"key":"10638_CR81","doi-asserted-by":"crossref","unstructured":"Rombaut B, C\u00f4go FR, Adams B, Hassan A (2022) There\u2019s no such thing as a free lunch: Lessons learned from exploring the overhead introduced by the greenkeeper dependency bot in npm. ACM Trans Softw Eng Methodol 32:1\u201340. https:\/\/api.semanticscholar.org\/CorpusID:248435571","DOI":"10.1145\/3522587"},{"issue":"9","key":"10638_CR82","doi-asserted-by":"publisher","first-page":"902","DOI":"10.1016\/j.infsof.2010.05.001","volume":"52","author":"I Samoladas","year":"2010","unstructured":"Samoladas I, Angelis L, Stamelos I (2010) Survival analysis on the duration of open source projects. Inf Softw Technol 52(9):902\u2013922","journal-title":"Inf Softw Technol"},{"key":"10638_CR83","volume-title":"Experimental and quasi-experimental designs for generalized causal inference","author":"WR Shadish","year":"2002","unstructured":"Shadish WR, Cook TD, Campbell DT (2002) Experimental and quasi-experimental designs for generalized causal inference. Houghton, Mifflin and Company"},{"key":"10638_CR84","unstructured":"Snyk Limited (n.d.) Snyk. https:\/\/github.com\/marketplace\/snyk\/. [Online] Last Accessed 11 Jan 2024"},{"issue":"4","key":"10638_CR85","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1109\/MSECP.2003.1219078","volume":"1","author":"HH Thompson","year":"2003","unstructured":"Thompson HH (2003) Why security testing is hard. IEEE Secur Privacy 1(4):83\u201386","journal-title":"IEEE Secur Privacy"},{"issue":"9","key":"10638_CR86","first-page":"575","volume":"16","author":"NS Turhan","year":"2020","unstructured":"Turhan NS (2020) Karl Pearson\u2019s chi-square tests. Educ Res Rev 16(9):575\u2013580","journal-title":"Educ Res Rev"},{"key":"10638_CR87","doi-asserted-by":"publisher","first-page":"107329","DOI":"10.1016\/J.INFSOF.2023.107329","volume":"164","author":"R Verdecchia","year":"2023","unstructured":"Verdecchia R, Engstr\u00f6m E, Lago P, Runeson P, Song Q (2023) Threats to validity in software engineering research: a critical reflection. Inf Softw Technol 164:107329. https:\/\/doi.org\/10.1016\/J.INFSOF.2023.107329","journal-title":"Inf Softw Technol"},{"issue":"5","key":"10638_CR88","first-page":"360","volume":"37","author":"AJ Viera","year":"2005","unstructured":"Viera AJ, Garrett JM (2005) Understanding interobserver agreement: the kappa statistic. Fam Med 37(5):360\u2013363","journal-title":"Fam Med"},{"key":"10638_CR89","doi-asserted-by":"crossref","unstructured":"Wang Y, Chen B, Huang K, Shi B, Xu C, Peng X, Wu Y, Liu Y (2020) An empirical study of usages, updates and risks of third-party libraries in java projects. In: 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, pp 35\u201345","DOI":"10.1109\/ICSME46990.2020.00014"},{"key":"10638_CR90","doi-asserted-by":"crossref","unstructured":"Wang Y, Sun P, Pei L, Yu Y, Xu C, Cheung SC, Yu H, Zhu Z (2023) Plumber: boosting the propagation of vulnerability fixes in the npm ecosystem. IEEE Trans Softw Eng 49:3155\u20133181. https:\/\/api.semanticscholar.org\/CorpusID:256710267","DOI":"10.1109\/TSE.2023.3243262"},{"key":"10638_CR91","doi-asserted-by":"crossref","unstructured":"Wessel M, De Souza BM, Steinmacher I, Wiese IS, Polato I, Chaves AP, Gerosa MA (2018) The power of bots: characterizing and understanding bots in oss projects. Proc ACM Hum-Comput Interaction 2(CSCW):1\u201319","DOI":"10.1145\/3274451"},{"key":"10638_CR92","doi-asserted-by":"crossref","unstructured":"Wessel M, Serebrenik A, Wiese I, Steinmacher I, Gerosa MA (2020) Effects of adopting code review bots on pull requests to OSS projects. In: 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, pp 1\u201311","DOI":"10.1109\/ICSME46990.2020.00011"},{"key":"10638_CR93","doi-asserted-by":"crossref","unstructured":"Wessel M, Steinmacher I (2020) The inconvenient side of software bots on pull requests. In: Proceedings of the IEEE\/ACM 42nd international conference on software engineering workshops, pp 51\u201355","DOI":"10.1145\/3387940.3391504"},{"key":"10638_CR94","doi-asserted-by":"publisher","unstructured":"Wessel M, Wiese I, Steinmacher I, Gerosa MA (2021) Don\u2019t disturb me: challenges of interacting with softwarebots on open source software projects. Proc ACM Hum-Comput Interact 5(CSCW2). https:\/\/doi.org\/10.1145\/3476042","DOI":"10.1145\/3476042"},{"key":"10638_CR95","doi-asserted-by":"publisher","unstructured":"Wyrich M, Ghit R, Haller T, M\u00fcller C (2021) Bots don\u2019t mind waiting, do they? Comparing the interaction with automatically and manually created pull requests. In: 2021 IEEE\/ACM Third international workshop on Bots in Software Engineering (BotSE), pp 6\u201310. https:\/\/doi.org\/10.1109\/BotSE52550.2021.00009","DOI":"10.1109\/BotSE52550.2021.00009"},{"key":"10638_CR96","doi-asserted-by":"crossref","unstructured":"Xu M, Wang Y, Cheung SC, Yu H, Zhu Z (2022) Insight: Exploring cross-ecosystem vulnerability impacts. Proceedings of the 37th IEEE\/ACM international conference on automated software engineering. https:\/\/api.semanticscholar.org\/CorpusID:255441443","DOI":"10.1145\/3551349.3556921"},{"key":"10638_CR97","doi-asserted-by":"crossref","unstructured":"Zar JH (2005) Spearman rank correlation. Encycl Biostat 7","DOI":"10.1002\/0470011815.b2a15150"},{"issue":"5","key":"10638_CR98","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1007\/s10664-022-10154-1","volume":"27","author":"A Zerouali","year":"2022","unstructured":"Zerouali A, Mens T, Decan A, Roover CD (2022) On the impact of security vulnerabilities in the npm and RubyGems dependency networks. Empir Softw Eng 27(5):107","journal-title":"Empir Softw Eng"},{"key":"10638_CR99","doi-asserted-by":"crossref","unstructured":"Zerouali A, Constantinou E, Mens T, Robles G, Gonz\u00e1lez-Barahona J (2018) An empirical analysis of technical lag in npm package dependencies. In: International conference on software reuse. Springer, pp 95\u2013110","DOI":"10.1007\/978-3-319-90421-4_6"},{"key":"10638_CR100","doi-asserted-by":"crossref","unstructured":"Zerouali A, Cosentino V, Mens T, Robles G, Gonzalez-Barahona JM (2019) On the impact of outdated and vulnerable javascript packages in docker images. In: 2019 IEEE 26th international conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, pp 619\u2013623","DOI":"10.1109\/SANER.2019.8667984"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10638-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-025-10638-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-025-10638-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,20]],"date-time":"2025-11-20T13:28:05Z","timestamp":1763645285000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-025-10638-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,31]]},"references-count":100,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2025,5]]}},"alternative-id":["10638"],"URL":"https:\/\/doi.org\/10.1007\/s10664-025-10638-w","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,3,31]]},"assertion":[{"value":"7 March 2025","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"31 March 2025","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"89"}}